Getting ripped off by just clicking a button

Last year, more than 226 million people spent $11.4 billion at retail stores and malls on Black Friday, and this year shoppers are poised to spend even more.

While Black Friday sales are expected to be at an all-time high, online shopping Monday is expected to be even greater. That is because Monday has become known as “Cyber Monday,” a relatively new phenomenon that arrived with the coming of age of the Internet.

Cyber Monday came into being seven years ago as a way for online retailers to compensate for the lack of physical stores. Many online retailers saw an uptick in sales on the Monday after Black Friday as shoppers, missing out on deals on the previous Friday, went to the Internet to purchase items.

In 2010, of the 172 million Americans that did their gift shopping online, 70 percent did it at work.

Besides getting good deals, however, shoppers may also get a dose of holiday problems.

Qualys, an Internet security provider, released data on more than 1 million computers showing that half have outdated Web browsers and other applications that make them prime targets for online attacks.

“These vulnerabilities allow cybercriminals to take remote control of your machine, search your disk drive for valuable information, monitor all keystrokes and e-commerce transactions, and intercept private information, such as usernames and passwords, credit card numbers and bank account details,” said Wolfgang Kandek, CTO of Qualys, in a blog post on his company’s website.

Symantec said 61 percent of malicious sites are legitimate properties that have been compromised.


In many workplaces, browsers are automatically updated as a matter of company computer policy, and many home computers have their operating systems automatically updated as well. While computer operating systems have patches applied to them frequently, a computer’s main vulnerability is not the operating system itself. It is the programs that run on top of it, particularly the Web browser and small programs called “applets.” Kandek also said that even the best Web browser, Apple Safari, leaves more than 35 percent of its users at risk.


Once a virus is installed on a computer in a business, it can steal user names and passwords, as well as company data. Inside the corporate network, the virus may spread more easily than the original attack from the outside. Security analysts call this security “hard and crunchy on the outside and soft and gooey on the inside.”

“Frequently, security inside networks is a little more relaxed, because people need to share data,” said Kandek.

The worst offender in the study is Java, which left one-third of the computers on which it is installed vulnerable to attack. The Java program was running on 82 percent of the machines tested.

Programs such as Java allow the applets to run inside Web pages. These programs give the user additional functionality such as running applications, watching video, listening to music and playing games.

While the user gets an “enhanced Web experience,” it comes at a price. The programs are frequently the subject of hacking attacks in which a computer can be taken over to harvest personal information.

Qualys has a free browser check available that will advise the user if there are any vulnerabilities in the browser or plug-ins and provide the steps necessary to apply any updates available.

As people go back to work on Monday and boot up their machines, the vast majority of workers will spend at least some of their time shopping. Home shoppers will be busy as well. While these users are shopping, they may also be putting the information of their household and corporations at risk.

Many hackers will set up a fake website that looks just like the original. When the shopper enters credit card information, the information is sent directly to a server set up by the hacker. There are virtual marketplaces in which hackers buy and sell credit card numbers, social security numbers and other personal information.

Symantec, the cybersecurity firm, says 61 percent of malicious sites are legitimate properties that have been compromised.

A cyber-thief can buy a victim’s name, address, credit card number with expiration date and three-digit security code for less than the price of a cup of coffee. Bloomberg reports that an Eastern European hacker who goes by the handle “Poxxie” broke into the computer system of a U.S. company and stole 1,400 card numbers which he then sold on a hacking e-commerce site for $3.50 each.

Symantec estimates that $114 billion a year is lost to cyber-thieves. By comparison, the global market in cocaine trafficking is an estimated $85 billion. The Federal Bureau of Investigation said that the total losses from bank robberies in the United States in 2010 were just $43 million.

There are ways, however, a user can gain some level of protection.

The first thing one can do is to buy only from reputable sellers. If one is not sure of a particular seller, the best defense is not to buy. Also, it’s unwise to click on a sales offering in an email, because often the link doesn’t go to the site advertised.

In addition, any website address bar for online shopping should read “https://” rather than just “http://” – the “s” on the Web address shows that the information a user sends is encrypted. Shoppers should also look for the closed padlock symbol, which is either at the bottom of the browser window or in the Web address bar on the webpage. Clicking on the padlock should confirm the identity of the seller. The padlock symbol, however, can be counterfeited, so it’s not an absolute guarantee of security.

After a transaction, credit card statements should be checked to make sure that the charges on the statement match the transactions. If they do not match, or there are charges the buyer does not recognize, the credit card company should be contacted immediately. In most cases, the credit card company will remove the charges from the account, cancel the credit card and issue new cards to the customer.

Trend Micro also offers some tips on what people can do to help protect themselves from online shopping fraud.

Use strong passwords and use unique passwords for the most sensitive websites.

Don’t click on links; rely on bookmarks for sensitive sites instead.

Watch out for fake apps that are posing as more popular, real apps.

Be wary of free apps that ask for too much personal information.

Go easy on promo links. If it’s too good to be true, it likely is.

Use remote security apps to back up and wipe a phone or laptop in case it is lost.

Use Parental Control features to monitor what information kids might be giving out.

Scan mobile devices regularly for malicious apps.

As with all online activity, a computer should be protected with good, up-to-date security, anti-virus and anti-spyware software.

Just taking some simple precautions can help shoppers have a pleasant holiday experience.